Location Weaknesses in this category are organized based

Commentaires

Transcription

Location Weaknesses in this category are organized based

Encoding Error
The software fails to properly handle encoding or decoding of the
data, resulting in unexpected values.
Failure to Resolve Case Sensitivity
Improperly handled case sensitive data can lead to several possible
consequences, including: - case-insensitive passwords reducing
the size of the key space, making brute force attacks easier bypassing filters or access controls using alternate names multiple interpretation errors using alternate names.
Incorrect Behavior Order: Early Validation
Software needs to validate data at the proper time, after data has
been canonicalized and cleansed. Early validation is susceptible
to various manipulations that result in dangerous inputs that
are produced by canonicalization and cleansing.
Incorrect Behavior Order: Validate Before Canonicalize
Software "validates" data before it is canonicalized, which
leaves it vulnerable to certain manipulations that are later
removed during canonicalization. Invalid data can then avoid
detection before it is produced by canonicalization.
Incorrect Behavior Order: Validate Before Filter
Software validates data before it has been filtered or cleansed, which
could produce dangerous data after the filtering step.
Cleansing, Canonicalization, and Comparison Errors
Weaknesses in this category are related to improper handling of data
within protection mechanisms that attempt to perform sanity
checks for untrusted data.
Collapse of Data Into Unsafe Value
Software cleanses or filters data in a way that causes the data to
"collapse" into an unsafe value.
Permissive Whitelist
An application uses a "whitelist" of acceptable values, but
the whitelist permits at least one unsafe value.
Incomplete Blacklist
An application uses a "blacklist" of prohibited values, but
the blacklist is incomplete.
Regular Expression Error
A regular expression is incorrectly specified in a way that causes
data to be improperly filtered, compared, or cleansed.
Partial Comparison
Improper Null Termination
User input is only partially compared to the desired input before a
match is determined. For example, an attacker might succeed in
authentication by providing a small password that matches the
associated portion of the larger, correct password.
The software does not properly terminate a string or array with a null
character or equivalent terminator. Null termination errors
frequently occur in two different ways. An off-by-one error
could cause a null to be written out of bounds, leading to an
overflow. Or, a program could use a strncpy() function call
incorrectly, which prevents a null terminator from being added
at all. Other scenarios are possible.
General Special Element Problems
Every language has its own special elements such as characters and
reserved words. The following weaknesses (under this category)
are expressed in general terms. Technology-specific problems
that involve special elements, such as cross-site scripting and
SQL injection, are covered in another CWE node.
Technology-Specific Special Elements
Weaknesses in this category are related to improper handling of
special elements within particular technologies.
Failure to Sanitize Special Elements
The software fails to prevent the introduction of special elements
with control implications into a mixed data / control stream.
Other Intentional, Nonmalicious Weakness
Other kinds of intentional but nonmalicious security flaws are
possible. Functional requirements that are written without
regard to security requirements can lead to such flaws; one of
the flaws exploited by the "Internet worm" [3] (case
U10) could be placed in this category.
Intentionally Introduced Nonmalicious Weakness
Nonmalicious introduction of weaknesses into software can still render
it vulnerable to various attacks.
Weaknesses that Affect System Processes
Covert Channel
A covert channel is simply a path used to transfer information in a
way not intended by the system’s designers. Typically the system
has not given authorization for the transmission and has no
knowledge of its occurrence.
Weaknesses in this category affect system process resources during
process invocation or inter-process communication (IPC).
Weaknesses that Affect Memory
Weaknesses in this category affect memory resources.
Weaknesses that Affect Files or Directories
Weaknesses in this category affect file or directory resources.
Motivation/Intent
This category intends to capture the motivations and intentions of
developers that lead to weaknesses that are found within CWE.
Intentionally Introduced Weakness
Weaknesses in this category were intentionally introduced by the
developer, typically as a result of prioritizing other aspects
of the program over security, such as maintenance.
Inadvertently Introduced Weakness
Inadvertent flaws may occur in requirements; they may also find their
way into software during specification and coding. Although many
of these are detected and removed through testing, some flaws
can remain undetected and later cause problems during operation
and maintenance of the software system. For a software system
composed of many modules and involving many programmers, flaws
are often difficult to find and correct because module
interfaces are inadequately documented and global variables are
used. The lack of documentation is especially troublesome during
maintenance when attempts to fix existing flaws often generate
new flaws because maintainers lack understanding of the system
as a whole. Although inadvertent flaws do not usually pose an
immediate threat to the security of the system, the weakness
resulting from a flaw may be exploited by an intruder (see case
D1).
Type Errors
Embedded Malicious Code
Weaknesses in this category are caused by improper data type
transformation or improper handling of multiple data types.
The application contains code that appears to be malicious in nature.
Reliance on Data/Memory Layout
The software makes invalid assumptions about how protocol data or
memory is organized at a lower level, resulting in unintended
program behavior.
Representation Errors
Weaknesses in this category are introduced when inserting or
converting data from one representation into another.
Structure and Validity Problems
Weaknesses in this category are related to improper handling of data
that is invalid and/or improperly structured.
Integer Coercion Error
Integer coercion refers to a set of flaws pertaining to the type
casting, extension, or truncation of primitive data types.
Integer Overflow (Wrap or Wraparound)
An integer overflow condition exists when an integer that has not been
properly sanity checked is used in the determination of an
offset or size for memory allocation, copying, concatenation, or
similarly. If the integer in question is incremented past the
maximum possible value, it may wrap to become a very small, or
negative number, therefore providing an unintended value.
Divide By Zero
The product divides a value by zero.
Numeric Errors
Weaknesses in this category are related to improper calculation or
conversion of numbers.
Incorrect Conversion between Numeric Types
When converting from one data type to another, such as long to
integer, data
can be omitted or
incorrectly translated, resulting in unexpected values. If
the resulting values are used in a sensitive
context, then dangerous
behaviors may
occur.
Incorrect Calculation
The software performs a calculation that
generates incorrect or unintended results that
are later used in security-critical decisions
or resource management.
Information Leak (Information Disclosure)
An information leak is the intentional or unintentional disclosure of
information that either (1) is regarded as sensitive within the
product’s own functionality, such as a private message, or (2)
provides information about the product or its environment that
could be useful in an attack but is normally not available to
the attacker, such as the installation path of a product that is
remotely accessible. Many information leaks are resultant (e.g.
path disclosure in PHP script error), but they can also be
primary (e.g. timing discrepancies in crypto). There are many
different types of problems that involve information leaks.
Their severity can range widely depending on the type of
information that is leaked.
Containment Errors (Container Errors)
This tries to cover various problems in which improper data are
included within a "container."
Information Management Errors
Weaknesses in this category are related to improper handling of
sensitive information.
Data Handling
Information Loss or Omission
Weaknesses in this category are typically found in functionality that
processes data.
The software does not record, or improperly records, security-relevant
information that leads to an incorrect decision or hampers later
analysis.
Incorrect Output Sanitization
The software does not sufficiently sanitize output before it is sent
to a different control sphere.
Often Misused: String Management
String Errors
Weaknesses in this category are related to the creation and
modification of strings.
Functions that manipulate strings encourage buffer overflows.
Uncontrolled Format String
The software uses externally-controlled format strings in printf-style
functions, which can lead to buffer overflows or data
representation problems.
Range Errors
Weaknesses in this category occur when expected boundaries can be
exceeded.
Struts: Duplicate Validation Forms
The application uses multiple validation forms with the same name,
which might cause the Struts Validator to validate a form that
the programmer does not expect. This could introduce other
weaknesses and indicates that validation logic is not
up-to-date.
Struts: Incomplete validate() Method Definition
The applicat
Struts Validation Problems
Weaknesses in this category are caused by inadequately implemented
protection schemes that use the STRUTS framework.
Technology-Specific Input Validation Problems
Weaknesses in this category are caused by inadequately implemented
input validation within particular technologies.
Direct Use of Unsafe JNI
When a Java application uses the Java Native Interface (JNI) to call
code written in another programming language, it can expose the
application to weaknesses in that code, even if those weaknesses
cannot occur in Java.
Insufficient Input Validation
The product has an absent or incorrect protection mechanism that fails
to properly validate input that can affect the control flow or
data flow of a program.
UNIX Hard Link
Failure for a system to check for hardlinks can result in
vulnerability to different types of attacks. For example, an
attacker can escalate their privileges if an he/she can replace
a file used by a privileged program with a hardlink to a
sensitive file (e.g. etc/passwd). When the process opens the
file, the attacker can assume the privileges of that process.
UNIX Symbolic Link (Symlink) Following
A software system that allows UNIX symbolic links (symlink) as part of
paths whether in internal code or through user input can allow
an attacker to spoof the symbolic link and traverse the file
system to unintended locations or access arbitrary files. The
symbolic link can permit an attacker to read/write/corrupt a
file that they originally did not have permissions to access.
Windows Shortcut Following (.LNK)
UNIX Path Link Problems
Weaknesses in this category are related to improper handling of links
within Unix-based operating systems.
Windows Path Link Problems
Weaknesses in this category are related to improper handling of links
within Windows-based operating systems.
Windows Virtual File Problems
Weaknesses in this category are related to improper handling of
virtual files within Windows-based operating systems.
Mac Virtual File Problems
Weaknesses in this category are related to improper handling of
virtual files within Mac-based operating systems.
A software system that allows Windows shortcuts (.LNK) as part of
paths whether in internal code or through user input can allow
an attacker to spoof the symbolic link and traverse the file
system to unintended locations or access arbitrary files. The
shortcut (file with the .lnk extension) can permit an attacker
to read/write a file that they originally did not have
permissions to access.
Windows Hard Link
Failure for a system to check for hardlinks can result in
vulnerability to different types of attacks. For example, an
attacker can escalate their privileges if an he/she can replace
a file used by a privileged program with a hardlink to a
sensitive file (e.g. etc/passwd). When the process opens the
file, the attacker can assume the privileges of that process or
possibly prevent a program from accurately processing data in a
software system.
Failure to Handle Windows ::DATA Alternate Data Stream
Alternate data streams (ADS) were first implemented in the Windows NT
operating system to provide compatibility between NTFS and the
Macintosh Hierarchical File System (HFS). In HFS, data and
resource forks are used to store information about a file. The
data fork provides information about the contents of the file
while the resource fork stores metadata such as file type. An
attacker can use an ADS to hide information about a file (e.g.
size, the name of the process) from a system or file browser
tools such as Windows Explorer and ’dir’ at the command line
utility.
Apple ’.DS_Store’
Software operating in a MAC OS environment where .DS_Store is in
effect must carefully manage hard links otherwise an attacker
may be able to leverage a hard link from .DS_Store to overwrite
arbitrary files and gain privileges.
Apple HFS+ Alternate Data Stream
The Apple HFS+ file system permits files to have multiple data input
streams. If an attacker can create/access a data input stream
directly or indirectly (e.g. through Apache), then he/she may be
able to access the file data or resource fork.
Empty Password in Configuration File
Using an empty string as a password is insecure.
Hard-Coded Password
Hard coded passwords may compromise system security in a way that
cannot be easily remedied. It is never a good idea to hardcode a
password. Not only does hardcoding a password allow all of the
project’s developers to view the password, it also makes fixing
the problem extremely difficult. Once the code is in production,
the password cannot be changed without patching the software. If
the account protected by the password is compromised, the owners
of the system will be forced to choose between security and
availability.
Weak Cryptography for Passwords
Obscuring a password with a trivial encoding does not protect the
password.
Weak Password Requirements
The product does not require that users should have strong passwords,
which makes it easier for attackers to compromise user accounts.
Credentials Management
Weaknesses in this category are related to the management of
credentials.
Insufficiently Protected Credentials
This weakness occurs when the application transmits or stores
authentication credentials and uses an insecure method that is
susceptible to unauthorized interception and/or retrieval.
Missing Password Field Masking
The software fails to mask passwords during entry, increasing the
potential for attackers to observe and capture passwords.
Unverified Password Change
When setting a new password for a user, the product does not require
knowledge of the original password, or using another form of
authentication.
Incorrect Privilege Assignment
Weak Password Recovery Mechanism
Privilege Defined With Unsafe Actions
It is common for an application to have a mechanism that provides a
means for a user to gain access to their account in the event
they forget their password. Very often the password recovery
mechanism is weak which has the effect of making it more likely
that it would be possible for a person other than the legitimate
system user to gain access to that user’s account. This
weakness may be that the security question is too easy to guess
or find an answer to (e.g. because it is too common). Or there
might be an implementation weakness in the password recovery
mechanism code that may for instance trick the system into
e-mailing the new password to an e-mail account other than that
of the user. There might be no throttling done on the rate of
password resets so that a legitimate user can be denied service
by an attacker if an attacker tries to recover their password in
a rapid succession. The system may send the original password
to the user rather than generating a new temporary password. In
summary, password recovery functionality, if not carefully
designed and implemented can often become the system’s weakest
link that can be misused in a way that would allow an attacker
to gain unauthorized access to the system. Weak password
recovery schemes completely undermine a strong password
authentication scheme.
Privilege / Sandbox Issues
A variety of vulnerabilities occur with improper handling, assignment,
or management of privileges. These are especially present in
sandbox environments, although it could be argued that any
privilege problem occurs within the context of some sort of
sandbox. Note: can heavily overlap authorization errors
A product incorrectly assigns a privilege to a particular entity.
A particular privilege, role, capability, or right can be used to
perform unsafe actions that were not intended, even when it is
assigned to the correct entity. Note: there are 2 separate
sub-categories here: - privilege incorrectly allows entities to
perform certain actions - object is incorrectly accessible to
entities with a given privilege This overlaps authorization and
access control problems.
Privilege Chaining
Two distinct privileges, roles, capabilities, or rights can be
combined in a way that allows an entity to perform unsafe
actions that would not be allowed without that combination.
Privilege Management Error
A product does not properly track, modify, record, or reset
privileges.
Privilege Context Switching Error
The software does not properly manage privileges while it is switching
between different contexts that cross privilege boundaries.
Privilege Dropping / Lowering Errors
In some contexts, a system executing with elevated permissions will
hand off a process/file/etc. to another process/user. If the
privileges of an entity are not reduced, then elevated
privileges are spread throughout a system and possibly to an
attacker.
Failure to Handle Insufficient Privileges
The software does not handle when it has insufficient privileges to
perform an operation.
Externally Controlled Reference to a Resource in Another Sphere
The product uses an externally controlled name or reference that
resolves to a resource that is outside of the intended control
sphere.
Improper Use of Privileged APIs
When an application contains certain functions that perform operations
requiring an elevated level of privilege on the system and
callers of these APIs are not careful in ensuring that
assumptions made by these APIs are valid, do not account for
weaknesses in design/implementation of the privileged APIs, call
these APIs from an unsafe or unexpected context, or pass/receive
data to or from the privileged function that may allow a
malicious user or process to elevate their privilege, the stage
might be set for escalation of privilege, process hijacking or
theft of sensitive data. For instance, it is important to know
if privileged APIs fail to properly shed their privileges before
returning to the caller or if the privileged function might make
certain assumptions about the data, context or state information
passed to it by the caller. It is important to always know when
and how privileged APIs can be called in order to ensure that
their elevated level of privilege cannot be exploited.
Insecure Default Permissions
A program, upon installation, sets insecure permissions for an object.
Insecure Inherited Permissions
A product defines a set of insecure permissions that are inherited by
objects that are created by the program.
Insecure Preserved Inherited Permissions
A product inherits a set of insecure permissions for an object, e.g.
when copying from an archive file, without user awareness or
involvement.
Insecure Execution-assigned Permissions
Permission Issues
Weaknesses in this category are related to improper assignment or
handling of permissions.
A product, while it is executing, changes the permissions of an object
in an insecure way that cannot be controlled by the user.
Failure to Handle Insufficient Permissions or Privileges
The application does not properly handle when it has insufficient
permissions or privileges to access resources or system
functionality, causing it to follow unexpected code paths that
may leave the application in an invalid state.
Permission Preservation Failure
The software does not properly preserve permissions when copying,
restoring, or sharing objects, which can cause them to have less
restrictive permissions than intended.
Permission Race Condition During Resource Copy
Improper Ownership Management
The product, while copying or cloning a resource, does not set the
resource’s permissions or access control until the copy is
complete, leaving the resource exposed to other spheres while
the copy is taking place.
The software assigns the wrong ownership, or does not properly verify
the ownership, of an object or resource.
Permissions, Privileges, and Access Controls
Weaknesses in this category are related to the management of
permissions, privileges, and other security features that are
used to perform access control.
Access Control Issues
Improper administration of the permissions to the users of a system
can result in unintended access to sensitive files. An access
control list (ACL) represents who/what has permissions to a
given object. Different operating systems implement (ACLs) in
different ways. In UNIX, there are three types of permissions:
read, write, and execute. Users are divided into three classes
for file access: owner, group owner, and all other users where
each class has a separate set of rights. In Windows NT, there
are four basic types of permissions for files: "No
access", "Read access", "Change
access", and "Full control". Windows NT extends
the concept of three types of users in UNIX to include a list of
users and groups along with their associated permissions. A user
can create an object (file) and assign specified permissions to
that object.
User Management Issues
Improper administration of the permissions to the users of a system
can result in unintended access to sensitive files. Users can be
assigned to the wrong group (class) of permissions resulting in
unintended access rights to sensitive objects. This item needs
more work. Possible sub-categories include: - user in wrong
group - user with insecure profile / "configuration"
Use of Hard-coded Cryptographic Key
The use of a hard-coded cryptographic key significantly increases the
possibility that encrypted data may be recovered
Key Exchange without Entity Authentication
Key Management Errors
Weaknesses in this category are related to errors in the management of
cryptographic keys.
Performing a key exchange without verifying the identity of the entity
being communicated with will preserve the integrity of the
information sent between the two entities; this will not,
however, guarantee the identity of the end entity.
Reusing a Nonce, Key Pair in Encryption
Nonces should be used for the present occasion and only once.
Failure to Encrypt Sensitive Data
The failure to encrypt data passes up the guarantees of
confidentiality, integrity, and accountability that properly
implemented encryption conveys.
Missing Required Cryptographic Step
Cryptographic implementations should follow the algorithms that define
them exactly otherwise encryption can be faulty.
Cryptographic Issues
Weaknesses in this category are related to the use of cryptography.
Weak Encryption
Insufficiently strong encryption schemes may not adequately secure
secret data from attackers. Attackers can guess or use brute
force attacks to break weakly encrypted schemes.
Reversible One-Way Hash
The product uses a hashing algorithm that produces results that can
allow an attacker to determine the original input - or an input
that generates the same hash - using feasible brute force or
custom attacks.
Not Using a Random IV with CBC Mode
Not using a random initialization Vector (IV) with Cipher Block
Chaining (CBC) Mode causes algorithms to be susceptible to
dictionary attacks.
Product UI does not Warn User of Unsafe Actions
Software systems should warn users that a potentially dangerous action
may occur if the user proceeds. For example, if the user
downloads a file from an unknown source and attempts to execute
the file on their machine, then the GUI of an application can
indicate that the file is unsafe.
User Interface Security Issues
Weaknesses in this category are related to or introduced in the User
Interface (UI).
Insufficient UI Warning of Dangerous Operations
A user interface provides a warning to a user regarding dangerous or
sensitive operations, but the warning is not noticeable enough
to warrant attention.
Certificate Issues
A certificate is a token that associates an identity (principle) to a
cryptographic key. Certificates can be used to check if a public
key belongs to the assumed owner. Certificates should be
carefully managed and checked to assure that data are encrypted
with the intended owner’s public key.
Insufficient Authentication
The software does not properly ensure that the user has proven their
identity.
Use of Insufficiently Random Values
The software may use insufficiently random numbers or values in a
security context that requires unpredictable numbers.
Insufficient Verification of Data Authenticity
Security Features
Software security is not security software. Here we’re concerned with
topics like authentication, access control, confidentiality,
cryptography, and privilege management.
The software does not sufficiently verify the origin or authenticity
of data, in a way that causes it to accept invalid data.
Improperly Implemented Security Check for Standard
The software does not properly implement one or more security-relevant
checks as specified by the design of a standardized algorithm,
protocol, or technique.
Privacy Violation
Mishandling private information, such as customer passwords or social
security numbers, can compromise user privacy and is often
illegal.
Trust of System Event Data
Security based on event locations are insecure and can be spoofed.
Use of Cookies in Security Decision
Attackers can easily modify cookies, and reliance without detailed
validation can lead to problems like SQL injection and other
errors.
Design Principle Violation: Client-Side Enforcement of Server-Side
Security
The client can be modified by an attacker in a way that bypasses
protection mechanisms that are not common to both the client
and server.
Protection Mechanism Failure
The product does not use a protection mechanism that provides
sufficient defense against directed attacks against the product.
Incomplete Internal State Distinction
The software does not properly determine which state it is in, causing
it to assume it is in state X when in fact it is in state Y,
causing it to perform incorrect operations in a
security-relevant manner.
Mutable Objects Passed by Reference
Sending non-cloned mutable data as an argument may result in that data
being altered or deleted by the called function, thereby putting
the calling function into an undefined state.
Passing Mutable Objects to an Untrusted Method
State Issues
Weaknesses in this category are related to improper management of
system state.
Sending non-cloned mutable data as a return value may result in that
data being altered or deleted by the calling function, thereby
putting the class in an undefined state.
Empty Synchronized Block
The software contains an empty synchronized block.
External Control of User State Data
An application manages user state information in a way that it can be
tampered with by the user of an application to give him or her
an elevated level of access to the data handled by the
application and/or its functionality. An application may store
user state on the client in a way that enables tampering. For
instance, state information can be stored in a cookie, in a
hidden web form field or in some other settings file stored
locally. State information may also be passed as a query
parameter through the URL or come in a form of some identifier
set by one page in the application and consumed by another to
signify state information. In each of these cases, chances are
that application user can tamper with the state information.
Whenever an application cannot definitively and unambiguously
control its own state information and state information for each
of the application users, there is insufficient management of
user state that may potentially be exploited by attackers.
Insecure Temporary File
Creating and using insecure temporary files can leave application and
system data vulnerable to attack.
Creation of Temporary File With Insecure Permissions
Temporary File Issues
Weaknesses in this category are related to improper handling of
temporary files.
Opening temporary files without appropriate measures or controls can
leave the file, its contents and any function that it impacts
vulnerable to attack.
Creation of Temporary File in Directory with Insecure Permissions
On some operating systems, the fact that the temp file exists may be
apparent to any user.
J2EE Time and State Issues
J2EE Bad Practices: Direct Use of Threads
Weaknesses in this category are related to improper handling of time
or state within J2EE.
Thread management in a Web application is forbidden in some
circumstances and is always highly error prone.
Call to Thread run() instead of start()
Technology-Specific Time and State Issues
Weaknesses in this category are related to improper handling of time
or state within particular technologies.
The program calls a thread’s run() method instead of calling start(),
which causes the code to run in the thread of the caller instead
of the callee.
Concurrency Issues
Weaknesses in this category are related to concurrent use of shared
resources.
Race Condition
The code does not properly control when an unmodifiable state is
required between two operations, but a timing window exists in
which the state can be modified by an untrusted actor or
process.
Covert Timing Channel
Covert channels are frequently classified as either storage or timing
channels. Timing channels convey information by modulating some
aspect of system behavior over time, so that the program
receiving the information can observe system behavior (e.g., the
system’s paging rate, the time a certain transaction requires to
execute, the time it takes to gain access to a shared bus) and
infer protected information.
Time and State
Distributed computation is about time and state. That is, in order for
more than one component to communicate, state must be shared,
and all that takes time. Most programmers anthropomorphize their
work. They think about one thread of control carrying out the
entire program in the same way they would if they had to do the
job themselves. Modern computers, however, switch between tasks
very quickly, and in multi-core, multi-CPU, or distributed
systems, two events may take place at exactly the same time.
Defects rush to fill the gap between the programmer’s model of
how a program executes and what happens in reality. These
defects are related to unexpected interactions between threads,
processes, time, and information. These interactions happen
through shared state: semaphores, variables, the file system,
and, basically, anything that can store information.
Symbolic Name not Mapping to Correct Object
A constant symbolic reference to an object is used, even though the
reference can resolve to a different object over time.
Signal Errors
The software does not properly handle or manage a signal.
Insufficient Synchronization
The software attempts to use a shared resource in an exclusive manner,
but fails to prevent use by another thread or process.
Insufficient Control of a Resource Through its Lifetime
The software does not correctly initialize, use, or release a resource
according to its specifications.
Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong sphere, in ways that are
not related to incorrectly specified permissions.
Incorrect Resource Transfer Between Spheres
The product does not properly transfer a resource/behavior to another
sphere, or improperly imports a resource/behavior from another
sphere, in a manner that provides unintended control over that
resource.
External Influence of Sphere Definition
The product does not prevent the definition of control spheres from
external actors.
Session Fixation
Authenticating a user, or otherwise establishing a new user session,
without invalidating any existing session identifier gives an
attacker the opportunity to steal authenticated sessions. Such a
scenario is commonly observed when: 1. A web application
authenticates a user without first invalidating the existing
session, thereby continuing to use the session already
associated with the user 2. An attacker is able to force a known
session identifier on a user so that, once the user
authenticates, the attacker has access to the authenticated
session 3. The application or container uses predictable session
identifiers. In the generic exploit of session fixation
vulnerabilities, an attacker creates a new session on a web
application and records the associated session identifier. The
attacker then causes the victim to associate, and possibly
authenticate, against the server using that session identifier,
giving the attacker access to the user’s account through the
active session.
Uncaught Exception
Failing to catch an exception thrown from a dangerous function can
potentially cause the program to crash.
Unchecked Return Value
Ignoring a method’s return value can cause the program to overlook
unexpected states and conditions.
Detection of Error Condition Without Action
Sometimes an error is detected, and bad or no action is taken.
Unchecked Error Condition
Ignoring exceptions and other error conditions may allow an attacker
to induce unexpected behavior unnoticed.
Failure to Report Error in Status Code
The software encounters an error but does not return a status code or
return value to indicate that an error has occurred.
Error Conditions, Return Values, Status Codes
If a function in a product does not generate the correct return/status
codes, or if the product does not handle all possible
return/status codes that could be generated by a function, then
security issues may result. This type of problem is most often
found in conditions that are rarely encountered during the
normal operation of the product. Presumably, most bugs related
to common conditions are found and eliminated during development
and testing. In some cases, the attacker can directly control or
influence the environment to trigger the rare conditions.
Return of Wrong Status Code
A function or operation returns an incorrect return value or status
code that does not indicate an error, but causes the product to
modify its behavior based on the incorrect result, in a way that
leads to unpredictable behavior.
Unexpected Status Code or Return Value
The software does not properly check when a function or operation
returns a value that is legitimate for the function, but is not
expected by the software.
Use of NullPointerException Catch to Detect NULL Pointer Dereference
Catching NullPointerException should not be used as an alternative to
programmatic checks to prevent dereferencing a null pointer.
Declaration of Catch for Generic Exception
Catching overly broad exceptions promotes complex error handling code
that is more likely to contain security vulnerabilities.
Declaration of Throws for Generic Exception
Missing Error Handling Mechanism
Error Handling
Error handling problems occur when an application does not properly
handle errors that occur during processing. An attacker may
discover this type of error, as forcing these errors can occur
with a variety of corrupt input.
The application does not contain a standard error handling mechanism,
which might introduce inconsistent error handling and resultant
weaknesses.
Throwing overly broad exceptions promotes complex error handling code
that is more likely to contain security vulnerabilities.
Return Inside Finally Block
The code has a return statement inside a finally block, which will
cause any thrown exception in the try block to be discarded.
Failure to Catch All Exceptions (Missing Catch Block)
A Servlet fails to catch all exceptions, which may reveal sensitive
debugging information.
Function Call with Incorrectly Specified Arguments
The product calls a function, procedure, or routine with arguments
that are not correctly specified, leading to always-incorrect
behavior and resultant weaknesses.
Often Misused: Arguments and Parameters
Weaknesses in this category are related to improper use of arguments
or parameters within function calls.
Failure to Fulfill API Contract (aka ’API Abuse’)
The software uses an API in a manner contrary to its intended use.
Resource Locking Problems
Weaknesses in this category are related to improper handling of locks
that are used to control access to resources.
Resource Exhaustion
The application is susceptible to generating and/or accepting an
excessive amount of requests that could potentially exhaust
limited resources, such as memory, file system storage, database
connection pool entries, or CPU. This can ultimately lead to a
denial of service that could prevent valid users from accessing
the application.
Transmission of Private Resources into a New Sphere (aka ’Resource
Leak’)
The software makes resources available to untrusted parties when those
resources are only intended to be accessed by the software.
Asymmetric Resource Consumption (Amplification)
Software that fails to appropriately monitor or control resource
consumption can lead to adverse system performance. This
situation is amplified if the software allows malicious users or
attackers to consume more resources than their access level
permits. Exploiting such a weakness can lead to asymmetric
resource consumption, aiding in amplification attacks against
the system or the network.
Insufficient Resource Pool
Resource Management Errors
The software’s resource pool is not large enough to handle peak
demand, which allows an attacker to prevent others from
accessing the resource by using a (relatively) large number of
requests for resources. Frequently the consequence is a
"flood" of connection or sessions.
Weaknesses in this category are related to improper management of
system resources.
finalize() Method Without super.finalize()
The software contains a finalize() method that does not call
super.finalize().
Explicit Call to Finalize
The software makes an explicit call to the finalize() method from
outside the finalizer.
Free of Invalid Pointer Not on the Heap
If free is incorrectly used by a user, it may be possible to gain
control or process execution through the use of a "write,
what, where" primitive.
Uncontrolled Recursion
The product does not properly control the amount of recursion that
takes place, which consumes excessive resources, such as
allocated memory or the program stack.
Unprotected Primary Channel
The software uses a primary channel for administration or restricted
functionality, but it does not properly protect the channel.
Channel Errors
Unprotected Alternate Channel
Weaknesses in this category are related to improper handling of
communication channels.
The software protects a primary channel, but it does not use the same
level of protection for an alternate channel.
Failure to Protect Alternate Path
Proxied Trusted Channel
The product does not sufficiently protect all possible paths that a
user can take to access restricted functionality or resources.
The software controls and trusts both endpoints of a channel, but one
endpoint can be accessed by an attacker and used as a proxy to
interact with the product.
Uncontrolled Search Path Element
Source Code
Weaknesses in this category are typically found within source code.
Use of Inherently Dangerous Function
Channel and Path Errors
The program calls a function that can never be guaranteed to work
safely.
Weaknesses in this category are related to improper handling of
communication channels and access paths.
One or more locations in a static search path is under control of the
attacker.
Unquoted Search Path or Element
The product uses a search path that contains an unquoted element, in
which the element contains whitespace or other separators. This
can cause the product to access resources in a parent path.
Untrusted Search Path
If a function performs automatic path searching for resources and an
attacker can influence that path, then the attacker may be able
to redirect the search path to point to resources under the
control of the attacker.
Deployment of Wrong Handler
The wrong "handler" is assigned to process an object, e.g.
calling a servlet to reveal source code of a .JSP file, or
automatically "determines" type even if contradictory
to an explicitly specified type.
Missing Handler
A handler is not available or implemented.
Dangerous Handler not Disabled During Sensitive Operations
The application does not properly clear or disable dangerous handlers
during sensitive operations, which might allow an attacker to
invoke the handler at unexpected times. This can cause the
software to enter an invalid state.
Handler Errors
Weaknesses in this category are related to improper management of
handlers.
Incomplete Identification of Uploaded File Variables (PHP)
The PHP application uses an old method for processing uploaded files
by referencing the four global variables that are set for each
file (e.g. $varname, $varname_size, $varname_name,
$varname_type). These variables could be overwritten by POST
requests, cookies, or other methods of populating or overwriting
these global variables. This could be used to read or process
arbitrary files by providing values such as
"/etc/passwd".
Unrestricted File Upload
The software allows the attacker to upload or transfer files of
dangerous types that can be automatically processed within the
product’s environment.
User Interface Errors
Weaknesses in this category occur within the user interface.
Initialization and Cleanup Errors
Weaknesses in this category occur in behaviors that are used for
initialization and breakdown.
Data Structure Issues
Duplicate Key in Associative List (Alist)
Duplicate keys in associative lists can lead to non-unique keys being
mistaken for an error.
Deletion of Data Structure Sentinel
The accidental deletion of a data-structure sentinel can cause serious
programming logic problems.
Assignment of a Fixed Address to a Pointer
Weaknesses in this category are related to improper handling of
specific data structures.
The software sets a pointer to a specific address other than NULL or
0.
Pointer Issues
Attempt to Access Child of a Non-structure Pointer
Weaknesses in this category are related to improper handling of
pointers.
Casting a non-structure type to a structure type and accessing a field
can lead to memory access errors or data corruption.
Expression Issues
Use of Incorrect Operator
Weaknesses in this category are related to incorrectly written
expressions within code.
The programmer accidentally uses the wrong operator, which changes
the application logic in security-relevant ways.
Expression is Always False
The software contains an expression that will always evaluate to
false.
Expression is Always True
The software contains an expression that will always evaluate to true.
Incorrect Syntactic Object Comparison
Object references are compared rather than objects themselves
Incorrect Semantic Object Comparison
Failure to sufficiently distinguish or equate two objects based on
their conceptual content.
Indicator of Poor Code Quality
The code has features that do not directly introduce a weakness or
vulnerability, but indicate that the product has not been
carefully developed or maintained.
Behavioral Problems
Behavioral Change in New Version or Environment
Weaknesses in this category are related to unexpected behaviors from
code that an application uses.
A’s behavior or functionality changes with a new version of A, or a
new environment, which is not known (or manageable) by B.
Web Problems
Weaknesses in this category involve interaction errors that are
specific to WWW technology.
Public cloneable() Method Without Final (aka ’Object Hijack’)
A class has a cloneable() method that is not declared final, which
allows an object to be created without calling the constructor.
This can cause the object to be in an unexpected state.
Download of Untrusted Mobile Code Without Integrity Check
Mobile Code Issues
Weaknesses in this category are frequently found in mobile code.
The product downloads external source or binaries and executes it
without sufficiently verifying the origin and integrity of the
downloaded code.
Array Declared Public, Final, and Static
The program declares an array public, final, and static, which is not
sufficient to prevent the array’s contents from being modified.
finalize() Method Declared Public
The program violates secure coding principles for mobile code by
declaring a finalize() method public.
Insufficient Encapsulation
The product does not sufficiently encapsulate critical data or
functionality.
Always-Incorrect Control Flow Implementation
The code contains a control flow path that does not reflect the
algorithm that the path is intended to implement, leading to
incorrect behavior any time this path is navigated.
Insufficient Control Flow Management
The code does not sufficiently manage its control flow during
execution, creating conditions in which the control flow can be
modified in unexpected ways.
Compiler Removal of Code to Clear Buffers
Sensitive memory is cleared according to the source code, but compiler
optimizations leave the memory untouched when it is not read
from again, aka "dead store removal."
Byte/Object Code
Configuration
Weaknesses in this category are typically found within byte code or
object code.
Weaknesses in this category are typically introduced during the
configuration of the software.
Location
Code
Weaknesses in this category are organized based on which phase they
are introduced during the software development and deployment
process.
Weaknesses in this category are typically introduced during code
development, including specification, design, and
implementation.
Violation of Secure Design Principles
The product violates well-established principles for secure design.
J2EE Misconfiguration: Plaintext Password in Configuration File
The J2EE application stores a plaintext password in a configuration
file.
J2EE Misconfiguration: Insufficient Session-ID Length
Session ID’s can be used to identify communicating parties in a web
environment. If an attacker can guess or steal a session ID,
then he/she may be able to take over the user’s session (called
session hijacking).
J2EE Misconfiguration: Missing Error Handling
A Web application must define a default error page for 4xx errors
(e.g. 404), 5xx (e.g. 500) errors and to catch
java.lang.Throwable exceptions to prevent attackers from mining
information from the application container’s built-in error
response. The default error page should not display sensitive
information about the software system.
J2EE Misconfiguration: Entity Bean Declared Remote
J2EE Environment Issues
J2EE framework related environment issues with security implications.
Environment
Weaknesses in this category are typically introduced during unexpected
environmental conditions.
Technology-specific Environment Issues
When an application exposes a remote interface for an entity bean, it
might also expose methods that get or set the bean’s data. These
methods could be leveraged to read sensitive information, or to
change data in ways that violate the application’s expectations,
potentially leading to other vulnerabilities.
Weaknesses in this category are typically introduced during unexpected
environmental conditions in particular technologies.
J2EE Misconfiguration: Weak Access Permissions for EJB Methods
If elevated access rights are assigned to EJB methods, then an
attacker can take advantage of the permissions to exploit the
software system.
ASP.NET Misconfiguration: Creating Debug Binary
Debugging messages help attackers learn about the system and plan a
form of attack.
ASP.NET Misconfiguration: Missing Custom Error Handling
An ASP .NET application must enable custom error pages in order to
prevent attackers from mining information from the framework’s
built-in responses.
.NET Environment Issues
This category lists weaknesses related to environmental problems in
.NET framework applications.
Files or Directories Accessible to External Parties
Files or directories are accessible in the environment that should not
be.
ASP.NET Environment Issues
ASP.NET framework/language related environment issues with security
implications.
.NET Misconfiguration: Use of Impersonation
Allowing a .NET application to run at potentially escalated levels of
access to the underlying operating and file systems can be
dangerous and result in various forms of attacks.
ASP.NET Misconfiguration: Password in Configuration File
Storing a plaintext password in a configuration file allows anyone who
can read the file access to the password-protected resource
making them an easy target for attackers.
ASP.NET Misconfiguration: Not Using Input Validation Framework
The ASP.NET application does not use an input validation framework.
ASP.NET Misconfiguration: Use of Identity Impersonation
Configuring an ASP.NET application to run with impersonated
credentials may give the application unnecessary privileges. The
use of impersonated credentials allows an ASP.NET application to
run with either the privileges of the client on whose behalf it
is executing or with arbitrary privileges granted in its
configuration.